coreutils

Re: cp, ln, mv, install: check for vulnerable target directories


From: Paul Eggert
Subject: Re: cp, ln, mv, install: check for vulnerable target directories
Date: Wed, 20 Sep 2017 00:09:46 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

Bernhard Voelker wrote:
> I'm also worried about compatibility here: the user will be
> confused why cp, mv etc from coreutils are not 'just working'
> anymore ... he will try -f first, and then simply use something
> else (rsync, whatever).

You're right, we should probably disable this checking if -f is used.

As for the user being confused, currently the diagnostic looks like this:

$ cp passwd /tmp/d/passwd
cp: vulnerable target directory '/tmp/d/passwd' (append '/' to use anyway)

and suggestions to improve the wording to avoid confusion are welcome. My assumption is that typically when this diagnostic is given, users will either be surprised that the destination is a directory at all, and will slow down and ask why; or they'll be annoyed that the copy doesn't work, and append / to make it work.


